[Full-disclosure] Re: strange domain name in phishing email



sheeponhigh wrote:
hi there
It is a very strange thing. I have done the following tries.

trying                    result
http://172.21.12.250      success
http://2887060730         failed
http://2887060730/        failed
telnet 2887060730 80      failed
ping 2887060730           success
http://1406379699         success  (phishing web site mentioned by Jianqiang Xin)
http://1406379699/        success  (phishing web site mentioned by Jianqiang Xin)

Could anyone give me some idea?
Thanks.

It depends on the webserver whether it accepts the address in that form.

IE is happy with the numeric address; it connects to the webserver and
sends an HTTP request. Part of HTTP since version 1.1 is the "Host:" header.
Because there might be several vhosts on a single machine all answering to
the same address, a webserver that receives a request like

GET /index.html HTTP/1.0

can't know which one of the vhosts was referred to, because it isn't implied
by the IP address and isn't in the URI get-request. So in http version 1.1,
the Host: header was added. Then, if www.aaa.com and www.bbb.com are on the
same webserver, we can tell whether a request for "/index.html" means
www.aaa.com/index.html or www.bbb.com/index.html by looking at the new Host:
header, which will be part of the request:

GET /index.html HTTP/1.1
Host: www.aaa.com

The reason that most webservers will reject it if the Host: header has a
numeric IP address is that the webserver already knows the IP address; the
only point of a host header is so it knows which of multiple dns names was
resolved to that IP address and hence which of the multiple vhosts it should
route the request to. If the Host: header contains only a numeric IP, not a
dns FQDN, it isn't any use in allowing the server to discriminate between
vhosts.

For more info, see the RFC for the HTTP spec and look up the bit about the
Host: header.

cheers,
DaveK
--
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
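
The behaviour discussed in this thread, as an added example that is not part of the original posts: a single-integer host such as 2887060730 decodes to the same IPv4 address as 172.21.12.250, but a server that matches the Host: header literally against its vhost table finds no entry for it. The vhost table, paths and function names are assumptions made for illustration; only the host names and the two address forms come from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed vhost table: the two names come from the post; the dotted
# address entry and all paths are assumptions for illustration.
VHOSTS = {
    "www.aaa.com": "/srv/aaa",
    "www.bbb.com": "/srv/bbb",
    "172.21.12.250": "/srv/default",
}

def decode_numeric_host(host):
    """Return the IPv4Address a numeric host denotes, or None for a DNS name."""
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(int(host))   # single-integer form
    try:
        return ipaddress.IPv4Address(host)        # dotted-quad form
    except ipaddress.AddressValueError:
        return None

def host_header(raw_request):
    """Extract the Host header value, lowercased and without any :port."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()  # IPv6 literals not handled
    return None

def route(raw_request):
    """Match Host literally against the vhost table; 400 when nothing matches."""
    host = host_header(raw_request)
    if host in VHOSTS:
        return 200, VHOSTS[host]
    return 400, None

def triage_url(url):
    """For mail/proxy triage: report the address behind an integer-only host."""
    host = urlsplit(url).hostname or ""
    ip = decode_numeric_host(host)
    return {"host": host, "integer_form": host.isdigit(),
            "ip": str(ip) if ip else None}
```

triage_url() can be run over URLs extracted from mail to surface links whose host is a bare integer, together with the dotted address they resolve to.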


